Bug ID 612954: IKEv1 log line warns proxy-support must be enabled for v1 peers to work

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Aug 26, 2016
Severity: 3-Major

Symptoms

If you disable proxy-support inside a v1 ike-peer, the config will not work because the racoon daemon cannot send proper identifying information to tmm in a GETSPI request. (The source appears to be localhost 127.0.0.1, which does not identify the peer, so no SPI can be allocated.)

Impact

IPsec tunnels for IKEv1 cannot be established when proxy-support is disabled in the racoon daemon.

Conditions

In a v1 ike-peer, disable proxy-support.

Workaround

Enable proxy-support in the ike-peer config definition. Note: In a v1 ike-peer, proxy-support must be enabled for a v1 peer to work. This is the default value, and should not be changed.

Fix Information

On the responder side, a logged line will say 'check IKE-PEER proxy support' in part of the message, to explains GETSPI failure, as a suggestion to fix this in the ike-peer config.

Behavior Change